Collection and use of electronic signatures by courier company
PIPEDA Case Summary #2002-71
In separate complaints two parcel recipients alleged that a courier company had improperly collected their personal information by demanding their electronic signature upon delivery of parcels and then posted the signatures on the company Web site without consent. One of the complainants also expressed concern about the potential for subsequent non-consensual use and disclosure of his electronic signature by the company.
Summary of Investigation
When asked to sign electronically for receipt of a parcel, the first complainant expressed his preference for signing a paper receipt, but was told that unless he provided an electronic signature he would not receive his parcel. The complainant provided his electronic signature under protest and took possession of his parcel. He later made e-mail inquiries of the company to determine whether electronic signatures were indeed mandatory under company policy or whether allowances were made for persons who preferred to sign paper. Replies indicated only that obtaining electronic signatures was company policy.
After agreeing to provide a signature electronically to indicate receipt of a delivery by the company in question, the second complainant discovered that this electronic signature had been placed in the tracking section of the company Web site, along with his name and address and the delivery status of the parcel in question. When he asked that his electronic signature be removed, a company representative told him it was not possible.
The Commissioner's investigation into the company's practices regarding electronic signatures revealed the following:
- The company stores signatures obtained from parcel recipients in its tracking system, which is accessible at the company's Web site, and uses them in providing an online tracking service for its customers.
- By keying in the appropriate parcel identification number (PIN), a Web site user gains access to information about the corresponding shipment - specifically, name and address of the intended recipient, delivery status of the parcel and, once delivery is completed, the recipient's electronic signature.
- It is sometimes possible, by varying a digit of the PIN within a reasonable range, to gain access to names, addresses, and electronic signatures pertaining to other shipments - that is, the personal information of others.
- There was no evidence that the company had in any way informed the complainants of its intention to use their electronic signature on its Web site for online tracking purposes or sought consent for such use.
- At the time of the complaints, it was not company policy to remove signatures from the online tracking system at the request of individuals.
The company defended its use of electronic signatures as follows:
- Users of the Web site may gain access to the online tracking system only by entering a valid PIN.
- The possibility of manipulating a PIN so as to gain access to information about other shipments is limited to the approximately 21 percent of cases where customers opt to use PINs of their own, compatible with their own tracking systems, instead of PINs assigned by the courier company.
- The integrity of electronic signatures is protected by means of computer-generated distortion.
- It has been company policy to accept not only "alternate" electronic signatures (i.e., signatures different from those normally used by individuals), but also paper signatures as an alternative to electronic.
- At the time of the complaints, the company's delivery staff and customer service representatives were knowledgeable about the policy on alternatives to electronic signatures, including the alternative of paper signatures, and were ready and able to respond to inquiries in that regard.
The investigation did not turn up any description of alternatives to electronic signatures in the company literature. The evidence suggested that staff for the most part believed electronic signatures to be mandatory and were generally unaware of any acceptable alternative under company policy.
The company has taken some remedial action as follows:
- Company policy has been changed so as to allow individuals in future to have their signatures removed from the Web site on request. The revised policy has been published on the Web site, along with instructions to individuals and a toll-free number for having signatures removed. The company is in the process of ensuring that its delivery personnel and customer service representatives are aware of this change.
Issued September 5, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction because interprovincial courier companies are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.3 states that an organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of personal information beyond that required to fulfil the explicitly specified and legitimate purposes. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
On the matter of use, the Commissioner determined as follows:
- The company had not informed the complainants of, or sought consent for, any use it intended to make of their electronic signatures beyond the immediate purpose of indicating receipt.
- Despite the requirement under Principle 4.3, there was no evidence that the company had ever made a practice of obtaining consent for its further intention of placing electronic signatures on its Web site and using them for the purpose of providing a tracking service to its customers.
- A reasonable person would not have considered such use appropriate in any circumstances, especially given the demonstrated potential for unauthorized disclosure of the signatures through simple manipulation of PINs.
The Commissioner found therefore that the company had been in contravention of Principle 4.3 and section 5(3).
On the matter of collection, the Commissioner determined as follows:
- Despite the company's contention that the alternative of accepting paper signatures had been covered under company policy at the time, there was no evidence to suggest that any such aspect of policy had been widely understood or implemented by the company's service representatives.
- There was little doubt that electronic signing had been presented to the complainants as their only option. The company had thus required the complainants to consent to the collection of the electronic signatures as a condition of the supply of service.
- The next question to be considered was whether the collection had been required to fulfil explicitly specified and legitimate purposes.
- As suggested above, the purpose of placing electronic signatures on the company Web site for use in tracking shipments was neither explicitly specified nor legitimate. Furthermore, the ostensible and immediate purpose for the collection had been to indicate receipt of a parcel, but that purpose could have been fulfilled by other means - notably, a signature on paper.
- An electronic signature could not then be said to have been a requirement for the fulfilment of the purpose.
In sum, the Commissioner determined that the electronic signatures had not been required to fulfil explicitly specified and legitimate purposes and that the company had therefore not been justified in demanding them as a condition of service. He found that the company had not complied with Principle 4.3.3.
He concluded that the complaints were well-founded.
The Commissioner was pleased that the company is examining alternatives to collecting electronic signatures and posting them on its Web site. He has recommended that the company inform him within 90 days of the steps it proposes to take.